updated 09:50 pm EST, Tue January 11, 2011

Trend Micro warns Android inherently vulnerable

Trend Micro chairman Steve Chang warned in an interview published today that Android was significantly more open to attack than iOS. Google's decision to allow some open-sourcing and to have only a light approval touch let malicious coders get more information about how to stage viruses and other malware. Apple's decision to close off much of the iPhone OS, sandbox code and to vet apps more closely may have antagonized some, Chang told Bloomberg, but has also led to a more secure platform.

"We have to give credit to Apple, because they are very careful about it," he said.

It was virtually "impossible" for some kinds of rogue code to work on an iOS device, he explained. Viruses that deliberately 'decompose' to avoid being recognized by antivirus scanners and then reassemble afterwards can work on Android but won't succeed on iOS. He didn't explain what made this possible, though Android apps are allowed to extend or modify parts of the main OS where these are usually fenced off on iOS.

iOS was still vulnerable, Chang emphasized, but mostly to social attacks where customers were tricked into voluntarily compromising the security of a device. Most significant security issues in iOS have come from visiting specially crafted websites that take advantage of an unpatched exploit.

Android has often been embraced for the greater amount of flexibility that comes from its more open structure. Advocates of open-source, both on Android and elsewhere, have noted that the same ease of exploiting vulnerabilities often helps speed up patching or of finding exploits ahead of hostile users. Google itself also dismissed the risk by noting that every app by its nature involved a certain amount of faith in its creator's honesty. Android always gives users a list of permissions the app needs to run, which Google hoped would be enough.

"On all computing devices, users necessarily entrust at least some of their information to the developer of the application they're using," it said.

Apple has been criticized for limiting the potential of its platform by restricting what apps are allowed to do and preventing the installation of non-Store titles. As a consequence, however, stories of substantial malware have been almost non-existent and usually reserved for jailbroken phones whose defenses have been left open.

Regardless of OS, Trend Micro's Chang had a vested interest in discussing vulnerabilities, as he had both a full antivirus app for Android and a less extensive security app for iOS users.

Android is less secure, but not for this reason

If a security hole is found on iOS, Apple can patch it immediately on almost all iPhones, iPod Touches, and iPads. This can even include older devices that don't support iOS 4.x.

If a security hole is found on Android, Google may publish a patch, but it will be up to the individual manufacturers to apply the patch on all of their Android devices. Since the manufacturers are unable or unwilling to keep their Android phones up to date, most Android phones will remain with whatever security hole was discovered.

Not too sure where Windows 7 PHone states with this issue. Microsoft claims they'll push the updates, but its never been done.

fAndroids don't care about things like that...

they actually prefer it. It makes their devices easier to hack which seem to like to do so much of. Tough luck for the low-tech consumers using Android smartphones, though. They probably don't even have a clue about such stuff. I'll take the "closed garden" platform any day for the masses of unsuspecting consumers. Just not enough high-tech users to make an easily compromise-able platform worthwhile.

Android is far more insecure

Android is far more insecure than iOS by design, though not necessarily because of its open source nature and is already suffering the fallout despite having half the installed base wordlwide.

The proof is in the pudding. It is Android and the Android Marketplace that has suffered multiple malware outbreaks such as:

- More than 50 Android mobile banking apps in the Android Marketplace each targeted at a specific financial institution whose true purpose was phishing and identity theft.
- the wallpaper app that was downloaded 4 million times which maliciously forwarded user details to a location in China before being discovered.
- the Geinimi botnet app that is infecting numerous Android apps on Chinese app stopres and spreading around the world.
- Trojan-SMS.AndroidOS.FakePlayer.a, the Russian "Movie player" app that surreptitiously sent premium SMS texts from unsuspecting users
- Brand new HTC Magic phones infected with the Mariposa botnet and Conficker and a Lineage password-stealing Trojan that attepmt to infect Windows PCs when connected onver USB.
- Mobile Spy and Mobile Stealth
- SMS Message Spy Pro and SMS Message Spy Lite spyware apps

In contrast, despite hosting over a third of a million apps and 7 billion downloads, there have been Zero pieces of malware come through the iOS App Store. A 100% safety record. Not bad, and good reassurance for a public tired of virus-riddled PCs.

Then of course there is the side-loading of apps with absolutely any nasty thing being possible in Android and no review of apps at all in the Marketplace and we are talking a completely different level of insecurity and exposure.

iOS requires signed code and enforces strict sand-boxing and provides hardware encryption all of which Android lacks. Instead Android throws up a Vista-like screen of permissions for each app which the average user is not necessarily going to read or understand.
All developers on the iOS store have far more stringent monetary and ID checks to post apps so the chances of mischief are so much less as to be negligible in comparison.

iPhone is actually worse

When you install an application (whether from the Market or from side loading it), it can only be installed after you have seen the permissions and allowed it. It would be better if one could have more granular permission settings allowing some, but not others. But even as it stands, in practice, hardly anyone pays attention to the permissions and most will just click on the Accept button. But if you are paranoid, you at least have the option. However, there hasn't been a single true malaware since Android apps all run in sandboxes and can't really mess up your phone.

In the case of iPhones, you don't even know what parts of the phone and system are actually being compromised. As has been seen by just two recent apps that were pulled from the App Store after being accepted. One disguised as a flashlight doing tethering and the other for using the volume button for taking photos. Both these were actually useful apps. Now imagine the real malaware that has slipped through the approval process. You have no idea what apps are sending what information, where.

And by sheer coincidence...

Re: Android is far more insecure

Yes, Android is far more insecure. Because Android makes the drastic mistake of letting the user actually have some say in the apps they use or download.

Apparently the iOS lovers fall under the desire for a 'nanny-state'. They can't be bothered doing something so simple as trusting what you install or anything. They want someone else to tell them "Everything's OK. You can do this, that, or whatever".

But it also is a huge false sense of security. Apple has no way to really tell what an app is doing with the data it is collecting or where it might send it. They can try to do scans, but programmers can just beat those by programming the app not to perform those tasks prior to approval. They can supposedly stop apps from using internal APIs, and yet there are apps that get approved that use them. (Remember the Flashlight app that enabled tethering?)

The open nature of Android also makes it far easier for users and 'experts' to track and monitor what their OS is actually doing, and, in turn, finding all this malware and botnets you claim are rampaging through the Android universe. Here's a question: What network monitoring tools does the user have on the iPhone to allow them to see what apps are transmitting data to various servers and the like? What access to the OS do users have to verify that programs can't access the data of other programs? Oh, right. None. So the 'security' of the OS is all in 'security by obscurity'.

In contrast, despite hosting over a third of a million apps and 7 billion downloads, there have been Zero pieces of malware come through the iOS App Store. A 100% safety record. Not bad, and good reassurance for a public tired of virus-riddled PCs.

That is an incorrect statement. All you can say is that there have been zero pieces of confirmed malware that have been distributed through the AppStore. For all you know, there's 50 apps on the store performing all sorts of malware tactics. Just because they haven't been discovered doesn't mean they don't exist.

Oh, and do we not count the apps that were caught? For example, the Storm8 games that were sending your cell phone number back to their servers? How is that not malware?

No, iPhone is far better less insecure

os2baba and testudo,
I'm sorry but your attempts at diminishing the malware issues on Android and inflating issues on iOS just does not wash. If iOS is so bad, where are the viruses and trojans? Give us some proof.

And no, apps sending the odd bit of personal data just does not wash as an argument compared to an operating system that relies on its existence to the ultimate personal data harvesting machine of all time - Google and its advertising raison d'etre. Likewise, apps with a few useful easter eggs do not count either in the face of an app that will send premium SMS text messages in the background without your knowledge or 50 bank phishing apps in Google's very own Marketplace itselfs. What-ifs are no argument whatsoever.

The average user is not going to be happy when he or she realises they need to install processor-sucking ram-hogging anti-virus software on their Android smartphone, a device which already strains under limited resources. There is a reason Apple has designed their mobile iOS platform as a more secure platform than the malware-riddled world of desktop computing.

You are happy to boast of the advantages of an anything-goes, install anything you want, from anywhere you want Android OS. You'll just have to admit there are some major disadvantages to this model as well. Heck, you are not even guaranteed that apps downloaded from the approved Android Marketplace are safe and you have the gall to criticise users who just want a device that works, who don't want to have to worry about all that c*** and are happy with Apple's curated, vertically-integrated ecosystem. After all, it is iOS that has all the best apps and far more of them than Android.

Of course, iOS users alway have the option of jail-breaking their devices if they do want to leave the safe rich walled garden and walk out on the mean streets - they also just need to be aware of the potential consequences as well.

testudo

what an incredibly lame (even for you) argument.

"That is an incorrect statement. All you can say is that there have been zero pieces of confirmed malware that have been distributed through the AppStore. For all you know, there's 50 apps on the store performing all sorts of malware tactics. Just because they haven't been discovered doesn't mean they don't exist. "

and, while we're at it, all one can say is that earth has the only living creatures in the whole of the universe. and one can say is that there are only 3 dimensions. all one can say is just because no one has discovered the color bryptayx yet doesn't mean it doesn't exist.

seriously, that's all you got?

"Oh, it is soooooo true!"

and just as soon as a post is made (any post) testudo will appear and make some stupid a$$ comment about the posters on this site. ad nauseum.